Two Factor Authentication is currently the bright and shining star that everyone, from those who offer ‘free’ services to those who offer high value services, wants to know and emulate. When designing such implementations, it is important to understand the implications to identity assurance if the two-factor implementation does not correctly incorporate the principles of multi-factor authentication.
Why am I writing about such a fundamental aspect of authentication? Because I am sure that you, similar to me, still get involved in discussions regarding assurance level escalation where the concept of using multi-factor authentication is conflated with the usage of two authentication factors of the same type!
Let us start with some definitions:
Multi-factor authentication is a characteristic of an authentication system or a token that uses more than one authentication factor. The three types of authentication factors are something you know, something you have, and something you are.
The strength of authentication systems is largely determined by the number of factors incorporated by the system. Implementations that use two factors are considered to be stronger than those that use only one factor; systems that incorporate all three factors are stronger than systems that only incorporate two of the factors. (NIST SP 800-63-2)
Tokens can support just one authentication factor, or they can support multiple authentication factors. Tokens in the latter category are typically something you have, which may be activated by something you know or something you are. These types of tokens are not in widespread use with public facing digital services, so I am not going to be discussing them here.
What is relevant to this discussion is that multi-factor authentication using a combination of single factor tokens, if implemented correctly, can provide a higher level of assurance than each token on its own. The key to correct implementation is to make sure that the tokens being combined use different authentication factors, not the same one.

**Single Factor Tokens (from NIST SP 800-63-2)**

| Something You Know | Something You Have |
| --- | --- |
So, it is perfectly feasible to use a combination of password (Memorized Secret Token / Something You Know) and an SMS message containing a random code sent to a phone you control (Out of Band Token / Something You Have) to raise the assurance level, but not a combination of an SMS message and an OTP as they are both something you have.
The other related question that comes up often is "Can't I use a combination of userid/password and some additional attributes to raise the level of assurance?"
The answer to that is a 'NO' because of two particular points:
- Both passwords and attributes are something you know, and combining tokens of the same factor does not raise the assurance level
- Knowledge-based answers such as attributes, while applicable for verification or as compensating controls, are not permitted as authenticators for very good reasons
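The rule from the two passages above (count distinct factor types, never the number of tokens, and discard knowledge-based attributes before counting) is easy to get wrong in a step-up authentication service. The following is an added example, not code from the original post, showing how such a service could evaluate a set of presented tokens and explain its decision. The `Token` catalogue, the `Factor` enum and the `evaluate` function are constructed for this example; the factor mapping for each token type follows the post.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Optional, Set


class Factor(Enum):
    """The three authentication factor types from NIST SP 800-63-2."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Token:
    """A single-factor token as presented during a login.

    factor is None for things that are not authenticators at all, such as
    knowledge-based attributes (date of birth, address, ...): they may serve
    identity verification or act as a compensating control, never as a factor.
    """
    name: str
    factor: Optional[Factor]


# Token catalogue (constructed for this example; factor mapping per the post).
PASSWORD = Token("Memorized Secret Token (password)", Factor.KNOW)
SMS_CODE = Token("Out of Band Token (SMS code to your phone)", Factor.HAVE)
OTP_DEVICE = Token("One-Time Password device", Factor.HAVE)
FINGERPRINT = Token("Biometric (fingerprint)", Factor.ARE)
KBA_ATTRIBUTES = Token("Knowledge-based attributes (e.g. date of birth)", None)


@dataclass
class Decision:
    multi_factor: bool
    factors: Set[Factor] = field(default_factory=set)
    reasons: List[str] = field(default_factory=list)


def evaluate(tokens: Iterable[Token]) -> Decision:
    """Decide whether the presented tokens constitute multi-factor authentication.

    Rule: count distinct factor types among real authenticators. Two tokens of
    the same type (SMS + OTP, both 'something you have') add no assurance, and
    non-authenticators (KBA attributes) are discarded before counting.
    """
    decision = Decision(multi_factor=False)
    seen: Set[Factor] = set()
    for token in tokens:
        if token.factor is None:
            decision.reasons.append(f"ignored {token.name!r}: not an authenticator")
            continue
        if token.factor in seen:
            decision.reasons.append(
                f"{token.name!r} repeats factor {token.factor.value!r}: no added assurance")
            continue
        seen.add(token.factor)
    decision.factors = seen
    decision.multi_factor = len(seen) >= 2
    label = "multi-factor" if decision.multi_factor else "single-factor"
    decision.reasons.append(f"{len(seen)} distinct factor type(s): {label}")
    return decision


if __name__ == "__main__":
    # Constructed login scenarios: the two combinations discussed in the post,
    # plus the password-and-attributes case.
    for combo in ([PASSWORD, SMS_CODE], [SMS_CODE, OTP_DEVICE], [PASSWORD, KBA_ATTRIBUTES]):
        d = evaluate(combo)
        print([t.name for t in combo], "->", "MFA" if d.multi_factor else "not MFA")
        for r in d.reasons:
            print("   ", r)
```

The decision carries its reasons so that an audit log can show why a step-up attempt was refused, which is where the "SMS plus OTP" and "password plus attributes" mistakes are usually caught.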
If increased identity assurance is the reason you are moving to implement multi-factor authentication, be sure to use combinations of tokens with the appropriate authentication factors to get you the assurance level needed.
Question: Do you know of any two factor implementations that in reality are not MFA?
- NIST SP 800-63-2 - Electronic Authentication Guideline (PDF)
- NIST SP 800-63 Multi-Token Assurance Level Matrix
- Does KBA and Public Sector Online Services Have a Future?
- Are Federated Credentials and Continuous Identity Verification Compatible?
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.